e256e71340c2d28a267a681ac09c835c963d75dd93e4a89b90966b92237c3a25

Analysis

max time kernel
147s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08/09/2024, 10:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Full-Setup.exe
Size

14.0MB
MD5

1695d5736b3e7cf17724630bbd642cd9
SHA1

ac72e7d29b994776e57b1782559128fe33a75f75
SHA256

e256e71340c2d28a267a681ac09c835c963d75dd93e4a89b90966b92237c3a25
SHA512

3cfd8d5f438cb44c159d47360422b9e589da2d280cf3c08c4e967ffef7112dda25e2b8c53b4a7065fefdc2b6eadbc6498a0e135299e1858126b0f05bfba71ab5
SSDEEP

98304:pkCJlnxraeJiWVKQi7kmeHh2yeH7rkfvVs:YWwQi7ZkfvVs

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 3392	4604	Full-Setup.exe	79

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Full-Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 3392	4604	Full-Setup.exe	79
PID 4604 wrote to memory of 3392	4604	Full-Setup.exe	79
PID 4604 wrote to memory of 3392	4604	Full-Setup.exe	79
PID 4604 wrote to memory of 3392	4604	Full-Setup.exe	79
PID 4604 wrote to memory of 3392	4604	Full-Setup.exe	79
PID 4604 wrote to memory of 3392	4604	Full-Setup.exe	79
PID 4604 wrote to memory of 3392	4604	Full-Setup.exe	79
PID 4604 wrote to memory of 3392	4604	Full-Setup.exe	79
PID 4604 wrote to memory of 3392	4604	Full-Setup.exe	79

C:\Users\Admin\AppData\Local\Temp\Full-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Full-Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3392-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3392-1-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3392-2-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3392-3-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3392-4-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download